aws-sdk-paymentcryptography 1.8.0 → 1.10.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-paymentcryptography/client.rb +379 -203
- data/lib/aws-sdk-paymentcryptography/client_api.rb +33 -0
- data/lib/aws-sdk-paymentcryptography/endpoint_provider.rb +1 -1
- data/lib/aws-sdk-paymentcryptography/types.rb +292 -114
- data/lib/aws-sdk-paymentcryptography.rb +1 -1
- metadata +6 -6
@@ -434,14 +434,14 @@ module Aws::PaymentCryptography
|
|
434
434
|
# [2]: https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DecryptData.html
|
435
435
|
#
|
436
436
|
# @option params [required, String] :alias_name
|
437
|
-
# A friendly name that you can use to refer a key. An alias must
|
438
|
-
# with `alias/` followed by a name, for example
|
439
|
-
# can contain only alphanumeric characters,
|
440
|
-
# underscores (\_), and dashes (-).
|
437
|
+
# A friendly name that you can use to refer to a key. An alias must
|
438
|
+
# begin with `alias/` followed by a name, for example
|
439
|
+
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
440
|
+
# forward slashes (/), underscores (\_), and dashes (-).
|
441
441
|
#
|
442
|
-
# Don't include confidential or sensitive information in this
|
443
|
-
# This field may be displayed in plaintext in CloudTrail logs and
|
444
|
-
# output.
|
442
|
+
# Don't include personal, confidential or sensitive information in this
|
443
|
+
# field. This field may be displayed in plaintext in CloudTrail logs and
|
444
|
+
# other output.
|
445
445
|
#
|
446
446
|
# @option params [String] :key_arn
|
447
447
|
# The `KeyARN` of the key to associate with the alias.
|
@@ -482,7 +482,7 @@ module Aws::PaymentCryptography
|
|
482
482
|
# key state.
|
483
483
|
#
|
484
484
|
# When you create a key, you specify both immutable and mutable data
|
485
|
-
# about the key. The immutable data contains key attributes that
|
485
|
+
# about the key. The immutable data contains key attributes that define
|
486
486
|
# the scope and cryptographic operations that you can perform using the
|
487
487
|
# key, for example key class (example: `SYMMETRIC_KEY`), key algorithm
|
488
488
|
# (example: `TDES_2KEY`), key usage (example:
|
@@ -515,8 +515,8 @@ module Aws::PaymentCryptography
|
|
515
515
|
#
|
516
516
|
# @option params [Boolean] :enabled
|
517
517
|
# Specifies whether to enable the key. If the key is enabled, it is
|
518
|
-
# activated for use within the service. If the key not enabled, then
|
519
|
-
# is created but not activated. The default value is enabled.
|
518
|
+
# activated for use within the service. If the key is not enabled, then
|
519
|
+
# it is created but not activated. The default value is enabled.
|
520
520
|
#
|
521
521
|
# @option params [required, Boolean] :exportable
|
522
522
|
# Specifies whether the key is exportable from the service.
|
@@ -528,27 +528,29 @@ module Aws::PaymentCryptography
|
|
528
528
|
#
|
529
529
|
# @option params [String] :key_check_value_algorithm
|
530
530
|
# The algorithm that Amazon Web Services Payment Cryptography uses to
|
531
|
-
# calculate the key check value (KCV)
|
531
|
+
# calculate the key check value (KCV). It is used to validate the key
|
532
|
+
# integrity.
|
532
533
|
#
|
533
|
-
# For
|
534
|
-
# value
|
535
|
-
# order bytes of the encrypted result. For AES
|
536
|
-
#
|
537
|
-
#
|
538
|
-
# result.
|
534
|
+
# For TDES keys, the KCV is computed by encrypting 8 bytes, each with
|
535
|
+
# value of zero, with the key to be checked and retaining the 3 highest
|
536
|
+
# order bytes of the encrypted result. For AES keys, the KCV is computed
|
537
|
+
# using a CMAC algorithm where the input data is 16 bytes of zero and
|
538
|
+
# retaining the 3 highest order bytes of the encrypted result.
|
539
539
|
#
|
540
540
|
# @option params [Array<Types::Tag>] :tags
|
541
|
-
#
|
542
|
-
#
|
543
|
-
# tag
|
544
|
-
#
|
545
|
-
# tag key.
|
541
|
+
# Assigns one or more tags to the Amazon Web Services Payment
|
542
|
+
# Cryptography key. Use this parameter to tag a key when it is created.
|
543
|
+
# To tag an existing Amazon Web Services Payment Cryptography key, use
|
544
|
+
# the TagResource operation.
|
546
545
|
#
|
547
|
-
#
|
546
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
547
|
+
# the tag value are required, but the tag value can be an empty (null)
|
548
|
+
# string. You can't have more than one tag on an Amazon Web Services
|
549
|
+
# Payment Cryptography key with the same tag key.
|
548
550
|
#
|
549
|
-
# Don't include confidential or sensitive information in this
|
550
|
-
# This field may be displayed in plaintext in CloudTrail logs and
|
551
|
-
# output.
|
551
|
+
# Don't include personal, confidential or sensitive information in this
|
552
|
+
# field. This field may be displayed in plaintext in CloudTrail logs and
|
553
|
+
# other output.
|
552
554
|
#
|
553
555
|
# <note markdown="1"> Tagging or untagging an Amazon Web Services Payment Cryptography key
|
554
556
|
# can allow or deny permission to the key.
|
@@ -578,7 +580,7 @@ module Aws::PaymentCryptography
|
|
578
580
|
# verify: false,
|
579
581
|
# wrap: false,
|
580
582
|
# },
|
581
|
-
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
583
|
+
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
582
584
|
# },
|
583
585
|
# key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
|
584
586
|
# tags: [
|
@@ -608,7 +610,7 @@ module Aws::PaymentCryptography
|
|
608
610
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
609
611
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
610
612
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
611
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
613
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
612
614
|
# resp.key.key_check_value #=> String
|
613
615
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
614
616
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -668,7 +670,7 @@ module Aws::PaymentCryptography
|
|
668
670
|
req.send_request(options)
|
669
671
|
end
|
670
672
|
|
671
|
-
# Deletes the key material and
|
673
|
+
# Deletes the key material and metadata associated with Amazon Web
|
672
674
|
# Services Payment Cryptography key.
|
673
675
|
#
|
674
676
|
# Key deletion is irreversible. After a key is deleted, you can't
|
@@ -679,13 +681,10 @@ module Aws::PaymentCryptography
|
|
679
681
|
# Services Payment Cryptography has a safety mechanism to prevent
|
680
682
|
# accidental deletion of a key. When you call this operation, Amazon Web
|
681
683
|
# Services Payment Cryptography disables the specified key but doesn't
|
682
|
-
# delete it until after a waiting period
|
683
|
-
# 7 days.
|
684
|
-
#
|
685
|
-
#
|
686
|
-
#
|
687
|
-
# If you delete key material, you can use ImportKey to reimport the same
|
688
|
-
# key material into the Amazon Web Services Payment Cryptography key.
|
684
|
+
# delete it until after a waiting period set using `DeleteKeyInDays`.
|
685
|
+
# The default waiting period is 7 days. During the waiting period, the
|
686
|
+
# `KeyState` is `DELETE_PENDING`. After the key is deleted, the
|
687
|
+
# `KeyState` is `DELETE_COMPLETE`.
|
689
688
|
#
|
690
689
|
# You should delete a key only when you are sure that you don't need to
|
691
690
|
# use it anymore and no other parties are utilizing this key. If you
|
@@ -739,7 +738,7 @@ module Aws::PaymentCryptography
|
|
739
738
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
740
739
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
741
740
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
742
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
741
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
743
742
|
# resp.key.key_check_value #=> String
|
744
743
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
745
744
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -756,69 +755,146 @@ module Aws::PaymentCryptography
|
|
756
755
|
req.send_request(options)
|
757
756
|
end
|
758
757
|
|
759
|
-
# Exports a key from Amazon Web Services Payment Cryptography
|
760
|
-
#
|
761
|
-
#
|
762
|
-
#
|
763
|
-
#
|
764
|
-
#
|
765
|
-
#
|
766
|
-
#
|
767
|
-
#
|
768
|
-
#
|
769
|
-
#
|
770
|
-
#
|
771
|
-
#
|
772
|
-
# ANSI X9 TR-
|
773
|
-
#
|
774
|
-
#
|
775
|
-
#
|
776
|
-
#
|
777
|
-
#
|
778
|
-
#
|
779
|
-
#
|
780
|
-
#
|
781
|
-
#
|
782
|
-
#
|
783
|
-
#
|
784
|
-
#
|
785
|
-
#
|
786
|
-
#
|
787
|
-
#
|
788
|
-
#
|
789
|
-
#
|
790
|
-
#
|
758
|
+
# Exports a key from Amazon Web Services Payment Cryptography.
|
759
|
+
#
|
760
|
+
# Amazon Web Services Payment Cryptography simplifies key exchange by
|
761
|
+
# replacing the existing paper-based approach with a modern electronic
|
762
|
+
# approach. With `ExportKey` you can export symmetric keys using either
|
763
|
+
# symmetric and asymmetric key exchange mechanisms. Using this
|
764
|
+
# operation, you can share your Amazon Web Services Payment Cryptography
|
765
|
+
# generated keys with other service partners to perform cryptographic
|
766
|
+
# operations outside of Amazon Web Services Payment Cryptography
|
767
|
+
#
|
768
|
+
# For symmetric key exchange, Amazon Web Services Payment Cryptography
|
769
|
+
# uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And
|
770
|
+
# for asymmetric key exchange, Amazon Web Services Payment Cryptography
|
771
|
+
# supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange
|
772
|
+
# mechanism. Asymmetric key exchange methods are typically used to
|
773
|
+
# establish bi-directional trust between the two parties exhanging keys
|
774
|
+
# and are used for initial key exchange such as Key Encryption Key
|
775
|
+
# (KEK). After which you can export working keys using symmetric method
|
776
|
+
# to perform various cryptographic operations within Amazon Web Services
|
777
|
+
# Payment Cryptography.
|
778
|
+
#
|
779
|
+
# The TR-34 norm is intended for exchanging 3DES keys only and keys are
|
780
|
+
# imported in a WrappedKeyBlock format. Key attributes (such as
|
781
|
+
# KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained
|
782
|
+
# within the key block. With RSA wrap and unwrap, you can exchange both
|
783
|
+
# 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram
|
784
|
+
# format and you will need to specify the key attributes during import.
|
785
|
+
#
|
786
|
+
# You can also use `ExportKey` functionality to generate and export an
|
787
|
+
# IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment
|
788
|
+
# Cryptography using either TR-31 or TR-34 export key exchange. IPEK is
|
789
|
+
# generated from BDK (Base Derivation Key) and `ExportDukptInitialKey`
|
790
|
+
# attribute KSN (`KeySerialNumber`). The generated IPEK does not persist
|
791
|
+
# within Amazon Web Services Payment Cryptography and has to be
|
792
|
+
# re-generated each time during export.
|
793
|
+
#
|
794
|
+
# **To export initial keys (KEK) or IPEK using TR-34**
|
795
|
+
#
|
796
|
+
# Using this operation, you can export initial key using TR-34
|
797
|
+
# asymmetric key exchange. You can only export KEK generated within
|
798
|
+
# Amazon Web Services Payment Cryptography. In TR-34 terminology, the
|
799
|
+
# sending party of the key is called Key Distribution Host (KDH) and the
|
800
|
+
# receiving party of the key is called Key Receiving Device (KRD).
|
801
|
+
# During key export process, KDH is Amazon Web Services Payment
|
802
|
+
# Cryptography which initiates key export and KRD is the user receiving
|
803
|
+
# the key.
|
804
|
+
#
|
805
|
+
# To initiate TR-34 key export, the KRD must obtain an export token by
|
806
|
+
# calling GetParametersForExport. This operation also generates a key
|
807
|
+
# pair for the purpose of key export, signs the key and returns back the
|
808
|
+
# signing public key certificate (also known as KDH signing certificate)
|
809
|
+
# and root certificate chain. The KDH uses the private key to sign the
|
810
|
+
# the export payload and the signing public key certificate is provided
|
811
|
+
# to KRD to verify the signature. The KRD can import the root
|
812
|
+
# certificate into its Hardware Security Module (HSM), as required. The
|
813
|
+
# export token and the associated KDH signing certificate expires after
|
814
|
+
# 7 days.
|
815
|
+
#
|
816
|
+
# Next the KRD generates a key pair for the the purpose of encrypting
|
817
|
+
# the KDH key and provides the public key cerificate (also known as KRD
|
818
|
+
# wrapping certificate) back to KDH. The KRD will also import the root
|
819
|
+
# cerificate chain into Amazon Web Services Payment Cryptography by
|
820
|
+
# calling ImportKey for `RootCertificatePublicKey`. The KDH, Amazon Web
|
821
|
+
# Services Payment Cryptography, will use the KRD wrapping cerificate to
|
822
|
+
# encrypt (wrap) the key under export and signs it with signing private
|
823
|
+
# key to generate a TR-34 WrappedKeyBlock. For more information on TR-34
|
824
|
+
# key export, see section [Exporting symmetric keys][1] in the *Amazon
|
825
|
+
# Web Services Payment Cryptography User Guide*.
|
791
826
|
#
|
792
827
|
# Set the following parameters:
|
793
828
|
#
|
794
|
-
#
|
829
|
+
# * `ExportAttributes`: Specify export attributes in case of IPEK
|
830
|
+
# export. This parameter is optional for KEK export.
|
795
831
|
#
|
796
|
-
#
|
797
|
-
#
|
798
|
-
# Cryptography before you initiate TR-34 key export. If it does not
|
799
|
-
# exist, you can import it by calling ImportKey for
|
800
|
-
# `RootCertificatePublicKey`.
|
832
|
+
# * `ExportKeyIdentifier`: The `KeyARN` of the KEK or BDK (in case of
|
833
|
+
# IPEK) under export.
|
801
834
|
#
|
802
|
-
#
|
835
|
+
# * `KeyMaterial`: Use `Tr34KeyBlock` parameters.
|
803
836
|
#
|
804
|
-
#
|
837
|
+
# * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
|
838
|
+
# certificate chain that signed the KRD wrapping key certificate.
|
805
839
|
#
|
806
|
-
#
|
840
|
+
# * `ExportToken`: Obtained from KDH by calling GetParametersForImport.
|
807
841
|
#
|
808
|
-
#
|
809
|
-
#
|
842
|
+
# * `WrappingKeyCertificate`: The public key certificate in PEM format
|
843
|
+
# (base64 encoded) of the KRD wrapping key Amazon Web Services Payment
|
844
|
+
# Cryptography uses for encryption of the TR-34 export payload. This
|
845
|
+
# certificate must be signed by the root certificate
|
846
|
+
# (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web
|
847
|
+
# Services Payment Cryptography.
|
810
848
|
#
|
811
849
|
# When this operation is successful, Amazon Web Services Payment
|
812
|
-
# Cryptography returns the TR-34
|
850
|
+
# Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.
|
813
851
|
#
|
814
|
-
# **
|
852
|
+
# **To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap**
|
815
853
|
#
|
816
|
-
#
|
817
|
-
#
|
818
|
-
#
|
819
|
-
#
|
820
|
-
#
|
821
|
-
#
|
854
|
+
# Using this operation, you can export initial key using asymmetric RSA
|
855
|
+
# wrap and unwrap key exchange method. To initiate export, generate an
|
856
|
+
# asymmetric key pair on the receiving HSM and obtain the public key
|
857
|
+
# certificate in PEM format (base64 encoded) for the purpose of wrapping
|
858
|
+
# and the root certifiate chain. Import the root certificate into Amazon
|
859
|
+
# Web Services Payment Cryptography by calling ImportKey for
|
860
|
+
# `RootCertificatePublicKey`.
|
861
|
+
#
|
862
|
+
# Next call `ExportKey` and set the following parameters:
|
863
|
+
#
|
864
|
+
# * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
|
865
|
+
# certificate chain that signed wrapping key certificate.
|
866
|
+
#
|
867
|
+
# * `KeyMaterial`: Set to `KeyCryptogram`.
|
868
|
+
#
|
869
|
+
# * `WrappingKeyCertificate`: The public key certificate in PEM format
|
870
|
+
# (base64 encoded) obtained by the receiving HSM and signed by the
|
871
|
+
# root certificate (CertificateAuthorityPublicKeyIdentifier) imported
|
872
|
+
# into Amazon Web Services Payment Cryptography. The receiving HSM
|
873
|
+
# uses its private key component to unwrap the WrappedKeyCryptogram.
|
874
|
+
#
|
875
|
+
# When this operation is successful, Amazon Web Services Payment
|
876
|
+
# Cryptography returns the WrappedKeyCryptogram.
|
877
|
+
#
|
878
|
+
# **To export working keys or IPEK using TR-31**
|
879
|
+
#
|
880
|
+
# Using this operation, you can export working keys or IPEK using TR-31
|
881
|
+
# symmetric key exchange. In TR-31, you must use an initial key such as
|
882
|
+
# KEK to encrypt or wrap the key under export. To establish a KEK, you
|
883
|
+
# can use CreateKey or ImportKey.
|
884
|
+
#
|
885
|
+
# Set the following parameters:
|
886
|
+
#
|
887
|
+
# * `ExportAttributes`: Specify export attributes in case of IPEK
|
888
|
+
# export. This parameter is optional for KEK export.
|
889
|
+
#
|
890
|
+
# * `ExportKeyIdentifier`: The `KeyARN` of the KEK or BDK (in case of
|
891
|
+
# IPEK) under export.
|
892
|
+
#
|
893
|
+
# * `KeyMaterial`: Use `Tr31KeyBlock` parameters.
|
894
|
+
#
|
895
|
+
# When this operation is successful, Amazon Web Services Payment
|
896
|
+
# Cryptography returns the working key or IPEK as a TR-31
|
897
|
+
# WrappedKeyBlock.
|
822
898
|
#
|
823
899
|
# **Cross-account use:** This operation can't be used across different
|
824
900
|
# Amazon Web Services accounts.
|
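Review bot: The `ExportToken` bullet in the TR-34 parameter list says the token is obtained by calling GetParametersForImport, which contradicts the paragraph earlier in this comment stating that the KRD obtains the export token by calling GetParametersForExport; a reader following the bullet would request an import token for an export. The bullet should end `Obtained from KDH by calling GetParametersForExport.` The same comment block carries wording slips worth fixing in the same pass: `exhanging`, `cerificate` (three times), `certifiate`, a doubled `the the` (twice), and `either symmetric and asymmetric` where `or` is meant; `exhanging` recurs in the ImportKey hunk and `cerificate` in the GetParametersForImport hunk. If these comments are generated from the service model, the corrections presumably belong upstream rather than in this file.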
@@ -829,6 +905,13 @@ module Aws::PaymentCryptography
|
|
829
905
|
#
|
830
906
|
# * ImportKey
|
831
907
|
#
|
908
|
+
#
|
909
|
+
#
|
910
|
+
# [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-export.html
|
911
|
+
#
|
912
|
+
# @option params [Types::ExportAttributes] :export_attributes
|
913
|
+
# The attributes for IPEK generation during export.
|
914
|
+
#
|
832
915
|
# @option params [required, String] :export_key_identifier
|
833
916
|
# The `KeyARN` of the key under export from Amazon Web Services Payment
|
834
917
|
# Cryptography.
|
@@ -844,8 +927,19 @@ module Aws::PaymentCryptography
|
|
844
927
|
# @example Request syntax with placeholder values
|
845
928
|
#
|
846
929
|
# resp = client.export_key({
|
930
|
+
# export_attributes: {
|
931
|
+
# export_dukpt_initial_key: {
|
932
|
+
# key_serial_number: "HexLength20Or24", # required
|
933
|
+
# },
|
934
|
+
# key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
|
935
|
+
# },
|
847
936
|
# export_key_identifier: "KeyArnOrKeyAliasType", # required
|
848
937
|
# key_material: { # required
|
938
|
+
# key_cryptogram: {
|
939
|
+
# certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
|
940
|
+
# wrapping_key_certificate: "CertificateType", # required
|
941
|
+
# wrapping_spec: "RSA_OAEP_SHA_256", # accepts RSA_OAEP_SHA_256, RSA_OAEP_SHA_512
|
942
|
+
# },
|
849
943
|
# tr_31_key_block: {
|
850
944
|
# wrapping_key_identifier: "KeyArnOrKeyAliasType", # required
|
851
945
|
# },
|
@@ -861,6 +955,8 @@ module Aws::PaymentCryptography
|
|
861
955
|
#
|
862
956
|
# @example Response structure
|
863
957
|
#
|
958
|
+
# resp.wrapped_key.key_check_value #=> String
|
959
|
+
# resp.wrapped_key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
864
960
|
# resp.wrapped_key.key_material #=> String
|
865
961
|
# resp.wrapped_key.wrapped_key_material_format #=> String, one of "KEY_CRYPTOGRAM", "TR31_KEY_BLOCK", "TR34_KEY_BLOCK"
|
866
962
|
# resp.wrapped_key.wrapping_key_arn #=> String
|
@@ -964,7 +1060,7 @@ module Aws::PaymentCryptography
|
|
964
1060
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
965
1061
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
966
1062
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
967
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1063
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
968
1064
|
# resp.key.key_check_value #=> String
|
969
1065
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
970
1066
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -1008,8 +1104,7 @@ module Aws::PaymentCryptography
|
|
1008
1104
|
# @option params [required, String] :signing_key_algorithm
|
1009
1105
|
# The signing key algorithm to generate a signing key certificate. This
|
1010
1106
|
# certificate signs the wrapped key under export within the TR-34 key
|
1011
|
-
# block
|
1012
|
-
# allowed.
|
1107
|
+
# block. `RSA_2048` is the only signing key algorithm allowed.
|
1013
1108
|
#
|
1014
1109
|
# @return [Types::GetParametersForExportOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1015
1110
|
#
|
@@ -1022,7 +1117,7 @@ module Aws::PaymentCryptography
|
|
1022
1117
|
# @example Request syntax with placeholder values
|
1023
1118
|
#
|
1024
1119
|
# resp = client.get_parameters_for_export({
|
1025
|
-
# key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE
|
1120
|
+
# key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE, KEY_CRYPTOGRAM
|
1026
1121
|
# signing_key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
|
1027
1122
|
# })
|
1028
1123
|
#
|
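Review bot: The request example still shows `signing_key_algorithm: "TDES_2KEY"` and lists symmetric algorithms as accepted, while the parameter description updated in the preceding hunk states that `RSA_2048` is the only signing key algorithm allowed. Someone copying the example starts from a value the description says is not allowed, so the placeholder should be the permitted one, e.g. `signing_key_algorithm: "RSA_2048", # required`. The `get_parameters_for_import` example has the same mismatch: `wrapping_key_algorithm: "TDES_2KEY"` against a description that names only `RSA_2048`, `RSA_3072` and `RSA_4096`. The example block starts and ends outside this hunk.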
@@ -1043,14 +1138,16 @@ module Aws::PaymentCryptography
|
|
1043
1138
|
req.send_request(options)
|
1044
1139
|
end
|
1045
1140
|
|
1046
|
-
# Gets the import token and the wrapping key certificate
|
1047
|
-
#
|
1141
|
+
# Gets the import token and the wrapping key certificate in PEM format
|
1142
|
+
# (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA
|
1143
|
+
# WrappedKeyCryptogram import into Amazon Web Services Payment
|
1144
|
+
# Cryptography.
|
1048
1145
|
#
|
1049
|
-
# The wrapping key certificate wraps the key under import
|
1050
|
-
#
|
1051
|
-
#
|
1052
|
-
#
|
1053
|
-
#
|
1146
|
+
# The wrapping key certificate wraps the key under import. The import
|
1147
|
+
# token and wrapping key certificate must be in place and operational
|
1148
|
+
# before calling ImportKey. The import token expires in 7 days. You can
|
1149
|
+
# use the same import token to import multiple keys into your service
|
1150
|
+
# account.
|
1054
1151
|
#
|
1055
1152
|
# **Cross-account use:** This operation can't be used across different
|
1056
1153
|
# Amazon Web Services accounts.
|
@@ -1062,14 +1159,21 @@ module Aws::PaymentCryptography
|
|
1062
1159
|
# * ImportKey
|
1063
1160
|
#
|
1064
1161
|
# @option params [required, String] :key_material_type
|
1065
|
-
# The
|
1066
|
-
#
|
1067
|
-
# `
|
1162
|
+
# The method to use for key material import. Import token is only
|
1163
|
+
# required for TR-34 WrappedKeyBlock (`TR34_KEY_BLOCK`) and RSA
|
1164
|
+
# WrappedKeyCryptogram (`KEY_CRYPTOGRAM`).
|
1165
|
+
#
|
1166
|
+
# Import token is not required for TR-31, root public key cerificate or
|
1167
|
+
# trusted public key certificate.
|
1068
1168
|
#
|
1069
1169
|
# @option params [required, String] :wrapping_key_algorithm
|
1070
1170
|
# The wrapping key algorithm to generate a wrapping key certificate.
|
1071
|
-
# This certificate wraps the key under import
|
1072
|
-
#
|
1171
|
+
# This certificate wraps the key under import.
|
1172
|
+
#
|
1173
|
+
# At this time, `RSA_2048` is the allowed algorithm for TR-34
|
1174
|
+
# WrappedKeyBlock import. Additionally, `RSA_2048`, `RSA_3072`,
|
1175
|
+
# `RSA_4096` are the allowed algorithms for RSA WrappedKeyCryptogram
|
1176
|
+
# import.
|
1073
1177
|
#
|
1074
1178
|
# @return [Types::GetParametersForImportOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1075
1179
|
#
|
@@ -1082,7 +1186,7 @@ module Aws::PaymentCryptography
|
|
1082
1186
|
# @example Request syntax with placeholder values
|
1083
1187
|
#
|
1084
1188
|
# resp = client.get_parameters_for_import({
|
1085
|
-
# key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE
|
1189
|
+
# key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE, KEY_CRYPTOGRAM
|
1086
1190
|
# wrapping_key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
|
1087
1191
|
# })
|
1088
1192
|
#
|
@@ -1144,29 +1248,41 @@ module Aws::PaymentCryptography
|
|
1144
1248
|
req.send_request(options)
|
1145
1249
|
end
|
1146
1250
|
|
1147
|
-
# Imports keys and public key certificates
|
1148
|
-
# Payment Cryptography.
|
1251
|
+
# Imports symmetric keys and public key certificates in PEM format
|
1252
|
+
# (base64 encoded) into Amazon Web Services Payment Cryptography.
|
1253
|
+
#
|
1254
|
+
# Amazon Web Services Payment Cryptography simplifies key exchange by
|
1255
|
+
# replacing the existing paper-based approach with a modern electronic
|
1256
|
+
# approach. With `ImportKey` you can import symmetric keys using either
|
1257
|
+
# symmetric and asymmetric key exchange mechanisms.
|
1258
|
+
#
|
1259
|
+
# For symmetric key exchange, Amazon Web Services Payment Cryptography
|
1260
|
+
# uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And
|
1261
|
+
# for asymmetric key exchange, Amazon Web Services Payment Cryptography
|
1262
|
+
# supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange
|
1263
|
+
# mechanisms. Asymmetric key exchange methods are typically used to
|
1264
|
+
# establish bi-directional trust between the two parties exhanging keys
|
1265
|
+
# and are used for initial key exchange such as Key Encryption Key (KEK)
|
1266
|
+
# or Zone Master Key (ZMK). After which you can import working keys
|
1267
|
+
# using symmetric method to perform various cryptographic operations
|
1268
|
+
# within Amazon Web Services Payment Cryptography.
|
1149
1269
|
#
|
1150
|
-
#
|
1151
|
-
#
|
1152
|
-
#
|
1153
|
-
#
|
1270
|
+
# The TR-34 norm is intended for exchanging 3DES keys only and keys are
|
1271
|
+
# imported in a WrappedKeyBlock format. Key attributes (such as
|
1272
|
+
# KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained
|
1273
|
+
# within the key block. With RSA wrap and unwrap, you can exchange both
|
1274
|
+
# 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram
|
1275
|
+
# format and you will need to specify the key attributes during import.
|
1154
1276
|
#
|
1155
|
-
# You can
|
1156
|
-
#
|
1157
|
-
#
|
1158
|
-
# keys to establishes bi-directional trust between the two parties
|
1159
|
-
# exchanging keys.
|
1277
|
+
# You can also import a *root public key certificate*, used to sign
|
1278
|
+
# other public key certificates, or a *trusted public key certificate*
|
1279
|
+
# under an already established root public key certificate.
|
1160
1280
|
#
|
1161
|
-
#
|
1162
|
-
# keys to perform various cryptographic operations within Amazon Web
|
1163
|
-
# Services Payment Cryptography using the ANSI X9 TR-31 symmetric key
|
1164
|
-
# exchange standard as mandated by PCI PIN.
|
1281
|
+
# **To import a public root key certificate**
|
1165
1282
|
#
|
1166
|
-
# You can also import a *root public key certificate*,
|
1167
|
-
#
|
1168
|
-
#
|
1169
|
-
# certificate.
|
1283
|
+
# You can also import a *root public key certificate*, used to sign
|
1284
|
+
# other public key certificates, or a *trusted public key certificate*
|
1285
|
+
# under an already established root public key certificate.
|
1170
1286
|
#
|
1171
1287
|
# **To import a public root key certificate**
|
1172
1288
|
#
|
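Review bot: The new `ImportKey` overview repeats itself. The paragraph beginning `# You can also import a *root public key certificate*, used to sign` is added at new lines 1277-1279 and again at 1283-1285, and the heading `# **To import a public root key certificate**` now appears at both 1281 and 1287. Dropping new lines 1281-1286 leaves one paragraph followed by one heading. Two wording slips in the same block should be fixed as well: `using either symmetric and asymmetric key exchange mechanisms` should read `either symmetric or asymmetric`, and `exhanging` should be `exchanging`. The description continues outside this hunk.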
@@ -1186,8 +1302,8 @@ module Aws::PaymentCryptography
|
|
1186
1302
|
#
|
1187
1303
|
# * `KeyUsage`: `TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE`
|
1188
1304
|
#
|
1189
|
-
# * `PublicKeyCertificate`: The
|
1190
|
-
# root
|
1305
|
+
# * `PublicKeyCertificate`: The public key certificate in PEM format
|
1306
|
+
# (base64 encoded) of the private root key under import.
|
1191
1307
|
#
|
1192
1308
|
# **To import a trusted public key certificate**
|
1193
1309
|
#
|
@@ -1204,59 +1320,87 @@ module Aws::PaymentCryptography
|
|
1204
1320
|
# operations such as wrap, sign, or encrypt that you will allow the
|
1205
1321
|
# trusted public key certificate to perform.
|
1206
1322
|
#
|
1207
|
-
# * `PublicKeyCertificate`: The
|
1208
|
-
#
|
1323
|
+
# * `PublicKeyCertificate`: The trusted public key certificate in PEM
|
1324
|
+
# format (base64 encoded) under import.
|
1325
|
+
#
|
1326
|
+
# **To import initial keys (KEK or ZMK or similar) using TR-34**
|
1327
|
+
#
|
1328
|
+
# Using this operation, you can import initial key using TR-34
|
1329
|
+
# asymmetric key exchange. In TR-34 terminology, the sending party of
|
1330
|
+
# the key is called Key Distribution Host (KDH) and the receiving party
|
1331
|
+
# of the key is called Key Receiving Device (KRD). During the key import
|
1332
|
+
# process, KDH is the user who initiates the key import and KRD is
|
1333
|
+
# Amazon Web Services Payment Cryptography who receives the key.
|
1334
|
+
#
|
1335
|
+
# To initiate TR-34 key import, the KDH must obtain an import token by
|
1336
|
+
# calling GetParametersForImport. This operation generates an encryption
|
1337
|
+
# keypair for the purpose of key import, signs the key and returns back
|
1338
|
+
# the wrapping key certificate (also known as KRD wrapping certificate)
|
1339
|
+
# and the root certificate chain. The KDH must trust and install the KRD
|
1340
|
+
# wrapping certificate on its HSM and use it to encrypt (wrap) the KDH
|
1341
|
+
# key during TR-34 WrappedKeyBlock generation. The import token and
|
1342
|
+
# associated KRD wrapping certificate expires after 7 days.
|
1343
|
+
#
|
1344
|
+
# Next the KDH generates a key pair for the purpose of signing the
|
1345
|
+
# encrypted KDH key and provides the public certificate of the signing
|
1346
|
+
# key to Amazon Web Services Payment Cryptography. The KDH will also
|
1347
|
+
# need to import the root certificate chain of the KDH signing
|
1348
|
+
# certificate by calling `ImportKey` for `RootCertificatePublicKey`. For
|
1349
|
+
# more information on TR-34 key import, see section [Importing symmetric
|
1350
|
+
# keys][1] in the *Amazon Web Services Payment Cryptography User Guide*.
|
1209
1351
|
#
|
1210
|
-
#
|
1352
|
+
# Set the following parameters:
|
1211
1353
|
#
|
1212
|
-
#
|
1213
|
-
# exchange standard to import main keys such as KEK. In TR-34
|
1214
|
-
# terminology, the sending party of the key is called Key Distribution
|
1215
|
-
# Host (KDH) and the receiving party of the key is called Key Receiving
|
1216
|
-
# Host (KRH). During the key import process, KDH is the user who
|
1217
|
-
# initiates the key import and KRH is Amazon Web Services Payment
|
1218
|
-
# Cryptography who receives the key. Before initiating TR-34 key import,
|
1219
|
-
# you must obtain an import token by calling GetParametersForImport.
|
1220
|
-
# This operation also returns the wrapping key certificate that KDH uses
|
1221
|
-
# wrap key under import to generate a TR-34 wrapped key block. The
|
1222
|
-
# import token expires after 7 days.
|
1354
|
+
# * `KeyMaterial`: Use `Tr34KeyBlock` parameters.
|
1223
1355
|
#
|
1224
|
-
#
|
1356
|
+
# * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
|
1357
|
+
# certificate chain that signed the KDH signing key certificate.
|
1225
1358
|
#
|
1226
|
-
# * `
|
1227
|
-
# certificate chain that will sign the signing key certificate and
|
1228
|
-
# should exist within Amazon Web Services Payment Cryptography before
|
1229
|
-
# initiating TR-34 key import. If it does not exist, you can import it
|
1230
|
-
# by calling by calling `ImportKey` for `RootCertificatePublicKey`.
|
1359
|
+
# * `ImportToken`: Obtained from KRD by calling GetParametersForImport.
|
1231
1360
|
#
|
1232
|
-
# * `
|
1361
|
+
# * `WrappedKeyBlock`: The TR-34 wrapped key material from KDH. It
|
1362
|
+
# contains the KDH key under import, wrapped with KRD wrapping
|
1363
|
+
# certificate and signed by KDH signing private key. This TR-34 key
|
1364
|
+
# block is typically generated by the KDH Hardware Security Module
|
1365
|
+
# (HSM) outside of Amazon Web Services Payment Cryptography.
|
1233
1366
|
#
|
1234
|
-
# * `
|
1235
|
-
#
|
1236
|
-
# certificate
|
1237
|
-
#
|
1238
|
-
# outside of Amazon Web Services Payment Cryptography.
|
1367
|
+
# * `SigningKeyCertificate`: The public key certificate in PEM format
|
1368
|
+
# (base64 encoded) of the KDH signing key generated under the root
|
1369
|
+
# certificate (CertificateAuthorityPublicKeyIdentifier) imported in
|
1370
|
+
# Amazon Web Services Payment Cryptography.
|
1239
1371
|
#
|
1240
|
-
#
|
1241
|
-
#
|
1242
|
-
# format.
|
1372
|
+
# **To import initial keys (KEK or ZMK or similar) using RSA Wrap and
|
1373
|
+
# Unwrap**
|
1243
1374
|
#
|
1244
|
-
#
|
1245
|
-
#
|
1246
|
-
#
|
1375
|
+
# Using this operation, you can import initial key using asymmetric RSA
|
1376
|
+
# wrap and unwrap key exchange method. To initiate import, call
|
1377
|
+
# GetParametersForImport with `KeyMaterial` set to `KEY_CRYPTOGRAM` to
|
1378
|
+
# generate an import token. This operation also generates an encryption
|
1379
|
+
# keypair for the purpose of key import, signs the key and returns back
|
1380
|
+
# the wrapping key certificate in PEM format (base64 encoded) and its
|
1381
|
+
# root certificate chain. The import token and associated KRD wrapping
|
1382
|
+
# certificate expires after 7 days.
|
1247
1383
|
#
|
1248
|
-
#
|
1384
|
+
# You must trust and install the wrapping certificate and its
|
1385
|
+
# certificate chain on the sending HSM and use it to wrap the key under
|
1386
|
+
# export for WrappedKeyCryptogram generation. Next call `ImportKey` with
|
1387
|
+
# `KeyMaterial` set to `KEY_CRYPTOGRAM` and provide the `ImportToken`
|
1388
|
+
# and `KeyAttributes` for the key under import.
|
1249
1389
|
#
|
1250
|
-
# **
|
1390
|
+
# **To import working keys using TR-31**
|
1251
1391
|
#
|
1252
1392
|
# Amazon Web Services Payment Cryptography uses TR-31 symmetric key
|
1253
|
-
# exchange
|
1254
|
-
#
|
1255
|
-
#
|
1393
|
+
# exchange norm to import working keys. A KEK must be established within
|
1394
|
+
# Amazon Web Services Payment Cryptography by using TR-34 key import or
|
1395
|
+
# by using CreateKey. To initiate a TR-31 key import, set the following
|
1396
|
+
# parameters:
|
1256
1397
|
#
|
1257
|
-
# * `
|
1258
|
-
#
|
1259
|
-
#
|
1398
|
+
# * `KeyMaterial`: Use `Tr31KeyBlock` parameters.
|
1399
|
+
#
|
1400
|
+
# * `WrappedKeyBlock`: The TR-31 wrapped key material. It contains the
|
1401
|
+
# key under import, encrypted using KEK. The TR-31 key block is
|
1402
|
+
# typically generated by a HSM outside of Amazon Web Services Payment
|
1403
|
+
# Cryptography.
|
1260
1404
|
#
|
1261
1405
|
# * `WrappingKeyIdentifier`: The `KeyArn` of the KEK that Amazon Web
|
1262
1406
|
# Services Payment Cryptography uses to decrypt or unwrap the key
|
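Review bot: The RSA wrap and unwrap section at new line 1377 names the wrong parameter: it tells the reader to call GetParametersForImport with `KeyMaterial` set to `KEY_CRYPTOGRAM`, but the parameter documented for that operation earlier in this diff is `:key_material_type`, so the text should say `KeyMaterialType`. The `ImportKey` step at new line 1387 repeats the same wording and has no "Set the following parameters" list, unlike the TR-34 and TR-31 sections. A matching list, starting with `# * `KeyMaterial`: Use `KeyCryptogram` parameters.` and then naming `ImportToken`, `KeyAttributes`, `WrappedKeyCryptogram` and `WrappingSpec`, would put the three import paths on the same footing. The TR-31 paragraph also says the KEK must be established by TR-34 import or CreateKey, which leaves it unclear whether a KEK imported through the new RSA path qualifies. The `ImportKey` description starts and ends outside this hunk.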
@@ -1271,41 +1415,45 @@ module Aws::PaymentCryptography
|
|
1271
1415
|
#
|
1272
1416
|
# * GetParametersForImport
|
1273
1417
|
#
|
1418
|
+
#
|
1419
|
+
#
|
1420
|
+
# [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-import.html
|
1421
|
+
#
|
1274
1422
|
# @option params [Boolean] :enabled
|
1275
1423
|
# Specifies whether import key is enabled.
|
1276
1424
|
#
|
1277
1425
|
# @option params [String] :key_check_value_algorithm
|
1278
1426
|
# The algorithm that Amazon Web Services Payment Cryptography uses to
|
1279
|
-
# calculate the key check value (KCV)
|
1427
|
+
# calculate the key check value (KCV). It is used to validate the key
|
1428
|
+
# integrity.
|
1280
1429
|
#
|
1281
|
-
# For
|
1282
|
-
# value
|
1283
|
-
# order bytes of the encrypted result. For AES
|
1284
|
-
#
|
1285
|
-
#
|
1286
|
-
# result.
|
1430
|
+
# For TDES keys, the KCV is computed by encrypting 8 bytes, each with
|
1431
|
+
# value of zero, with the key to be checked and retaining the 3 highest
|
1432
|
+
# order bytes of the encrypted result. For AES keys, the KCV is computed
|
1433
|
+
# using a CMAC algorithm where the input data is 16 bytes of zero and
|
1434
|
+
# retaining the 3 highest order bytes of the encrypted result.
|
1287
1435
|
#
|
1288
1436
|
# @option params [required, Types::ImportKeyMaterial] :key_material
|
1289
1437
|
# The key or public key certificate type to use during key material
|
1290
1438
|
# import, for example TR-34 or RootCertificatePublicKey.
|
1291
1439
|
#
|
1292
1440
|
# @option params [Array<Types::Tag>] :tags
|
1293
|
-
#
|
1294
|
-
#
|
1295
|
-
# tag
|
1296
|
-
#
|
1297
|
-
#
|
1298
|
-
#
|
1299
|
-
#
|
1300
|
-
#
|
1301
|
-
# key with
|
1302
|
-
#
|
1303
|
-
#
|
1304
|
-
#
|
1305
|
-
#
|
1306
|
-
# Don't include confidential or sensitive information in this
|
1307
|
-
# This field may be displayed in plaintext in CloudTrail logs and
|
1308
|
-
# output.
|
1441
|
+
# Assigns one or more tags to the Amazon Web Services Payment
|
1442
|
+
# Cryptography key. Use this parameter to tag a key when it is imported.
|
1443
|
+
# To tag an existing Amazon Web Services Payment Cryptography key, use
|
1444
|
+
# the TagResource operation.
|
1445
|
+
#
|
1446
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
1447
|
+
# the tag value are required, but the tag value can be an empty (null)
|
1448
|
+
# string. You can't have more than one tag on an Amazon Web Services
|
1449
|
+
# Payment Cryptography key with the same tag key. If you specify an
|
1450
|
+
# existing tag key with a different tag value, Amazon Web Services
|
1451
|
+
# Payment Cryptography replaces the current tag value with the specified
|
1452
|
+
# one.
|
1453
|
+
#
|
1454
|
+
# Don't include personal, confidential or sensitive information in this
|
1455
|
+
# field. This field may be displayed in plaintext in CloudTrail logs and
|
1456
|
+
# other output.
|
1309
1457
|
#
|
1310
1458
|
# <note markdown="1"> Tagging or untagging an Amazon Web Services Payment Cryptography key
|
1311
1459
|
# can allow or deny permission to the key.
|
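Review bot: The new `:key_check_value_algorithm` text says the KCV validates key integrity but not what the caller should compare it against. It also does not tie the two computations it describes to the accepted values `CMAC` and `ANSI_X9_24` shown in the request example. A sentence such as `# Compare the returned KeyCheckValue with the value computed by the sending HSM to confirm that the intended key was imported.` would make the check actionable. Naming which enum value selects the TDES-style computation and which the CMAC one would remove the remaining guesswork; the mapping is not shown on this page, so it should be taken from the service model.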
@@ -1322,6 +1470,28 @@ module Aws::PaymentCryptography
|
|
1322
1470
|
# enabled: false,
|
1323
1471
|
# key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
|
1324
1472
|
# key_material: { # required
|
1473
|
+
# key_cryptogram: {
|
1474
|
+
# exportable: false, # required
|
1475
|
+
# import_token: "ImportTokenId", # required
|
1476
|
+
# key_attributes: { # required
|
1477
|
+
# key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
|
1478
|
+
# key_class: "SYMMETRIC_KEY", # required, accepts SYMMETRIC_KEY, ASYMMETRIC_KEY_PAIR, PRIVATE_KEY, PUBLIC_KEY
|
1479
|
+
# key_modes_of_use: { # required
|
1480
|
+
# decrypt: false,
|
1481
|
+
# derive_key: false,
|
1482
|
+
# encrypt: false,
|
1483
|
+
# generate: false,
|
1484
|
+
# no_restrictions: false,
|
1485
|
+
# sign: false,
|
1486
|
+
# unwrap: false,
|
1487
|
+
# verify: false,
|
1488
|
+
# wrap: false,
|
1489
|
+
# },
|
1490
|
+
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
1491
|
+
# },
|
1492
|
+
# wrapped_key_cryptogram: "WrappedKeyCryptogram", # required
|
1493
|
+
# wrapping_spec: "RSA_OAEP_SHA_256", # accepts RSA_OAEP_SHA_256, RSA_OAEP_SHA_512
|
1494
|
+
# },
|
1325
1495
|
# root_certificate_public_key: {
|
1326
1496
|
# key_attributes: { # required
|
1327
1497
|
# key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
|
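Review bot: `wrapping_spec` in the new `key_cryptogram` example is not marked `# required`, and nothing visible in this diff says which OAEP variant applies when it is omitted. Sender and receiver have to agree on the OAEP hash for the unwrap to succeed, so the default should be stated, for example `wrapping_spec: "RSA_OAEP_SHA_256", # accepts RSA_OAEP_SHA_256, RSA_OAEP_SHA_512; default: <confirm against service model>`. The example also lists every `key_algorithm` value for `key_cryptogram`, while the `ImportKey` description added earlier in this diff says RSA wrap and unwrap exchanges 3DES and AES-128 keys. One of the two should be narrowed or the difference explained.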
@@ -1337,7 +1507,7 @@ module Aws::PaymentCryptography
|
|
1337
1507
|
# verify: false,
|
1338
1508
|
# wrap: false,
|
1339
1509
|
# },
|
1340
|
-
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
1510
|
+
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
1341
1511
|
# },
|
1342
1512
|
# public_key_certificate: "CertificateType", # required
|
1343
1513
|
# },
|
@@ -1369,7 +1539,7 @@ module Aws::PaymentCryptography
|
|
1369
1539
|
# verify: false,
|
1370
1540
|
# wrap: false,
|
1371
1541
|
# },
|
1372
|
-
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
1542
|
+
# key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
|
1373
1543
|
# },
|
1374
1544
|
# public_key_certificate: "CertificateType", # required
|
1375
1545
|
# },
|
@@ -1401,7 +1571,7 @@ module Aws::PaymentCryptography
|
|
1401
1571
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
1402
1572
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
1403
1573
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
1404
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1574
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1405
1575
|
# resp.key.key_check_value #=> String
|
1406
1576
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
1407
1577
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -1521,6 +1691,9 @@ module Aws::PaymentCryptography
|
|
1521
1691
|
# does not return more than the specified number of items, but it might
|
1522
1692
|
# return fewer.
|
1523
1693
|
#
|
1694
|
+
# This value is optional. If you include a value, it must be between 1
|
1695
|
+
# and 100, inclusive. If you do not include a value, it defaults to 50.
|
1696
|
+
#
|
1524
1697
|
# @option params [String] :next_token
|
1525
1698
|
# Use this parameter in a subsequent request after you receive a
|
1526
1699
|
# response with truncated results. Set it to the value of `NextToken`
|
@@ -1558,7 +1731,7 @@ module Aws::PaymentCryptography
|
|
1558
1731
|
# resp.keys[0].key_attributes.key_modes_of_use.unwrap #=> Boolean
|
1559
1732
|
# resp.keys[0].key_attributes.key_modes_of_use.verify #=> Boolean
|
1560
1733
|
# resp.keys[0].key_attributes.key_modes_of_use.wrap #=> Boolean
|
1561
|
-
# resp.keys[0].key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1734
|
+
# resp.keys[0].key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1562
1735
|
# resp.keys[0].key_check_value #=> String
|
1563
1736
|
# resp.keys[0].key_state #=> String, one of "CREATE_IN_PROGRESS", "CREATE_COMPLETE", "DELETE_PENDING", "DELETE_COMPLETE"
|
1564
1737
|
# resp.next_token #=> String
|
@@ -1596,6 +1769,9 @@ module Aws::PaymentCryptography
|
|
1596
1769
|
# does not return more than the specified number of items, but it might
|
1597
1770
|
# return fewer.
|
1598
1771
|
#
|
1772
|
+
# This value is optional. If you include a value, it must be between 1
|
1773
|
+
# and 100, inclusive. If you do not include a value, it defaults to 50.
|
1774
|
+
#
|
1599
1775
|
# @option params [String] :next_token
|
1600
1776
|
# Use this parameter in a subsequent request after you receive a
|
1601
1777
|
# response with truncated results. Set it to the value of `NextToken`
|
@@ -1688,7 +1864,7 @@ module Aws::PaymentCryptography
|
|
1688
1864
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
1689
1865
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
1690
1866
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
1691
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1867
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1692
1868
|
# resp.key.key_check_value #=> String
|
1693
1869
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
1694
1870
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -1750,7 +1926,7 @@ module Aws::PaymentCryptography
|
|
1750
1926
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
1751
1927
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
1752
1928
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
1753
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1929
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1754
1930
|
# resp.key.key_check_value #=> String
|
1755
1931
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
1756
1932
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -1814,7 +1990,7 @@ module Aws::PaymentCryptography
|
|
1814
1990
|
# resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
|
1815
1991
|
# resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
|
1816
1992
|
# resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
|
1817
|
-
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1993
|
+
# resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
|
1818
1994
|
# resp.key.key_check_value #=> String
|
1819
1995
|
# resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
|
1820
1996
|
# resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
|
@@ -1865,16 +2041,16 @@ module Aws::PaymentCryptography
|
|
1865
2041
|
# value, Amazon Web Services Payment Cryptography replaces the current
|
1866
2042
|
# tag value with the new one.
|
1867
2043
|
#
|
1868
|
-
# Don't include confidential or sensitive information in this
|
1869
|
-
# This field may be displayed in plaintext in CloudTrail logs and
|
1870
|
-
# output.
|
2044
|
+
# Don't include personal, confidential or sensitive information in this
|
2045
|
+
# field. This field may be displayed in plaintext in CloudTrail logs and
|
2046
|
+
# other output.
|
1871
2047
|
#
|
1872
2048
|
# To use this parameter, you must have TagResource permission in an IAM
|
1873
2049
|
# policy.
|
1874
2050
|
#
|
1875
|
-
# Don't include confidential or sensitive information in this
|
1876
|
-
# This field may be displayed in plaintext in CloudTrail logs and
|
1877
|
-
# output.
|
2051
|
+
# Don't include personal, confidential or sensitive information in this
|
2052
|
+
# field. This field may be displayed in plaintext in CloudTrail logs and
|
2053
|
+
# other output.
|
1878
2054
|
#
|
1879
2055
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1880
2056
|
#
|
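Review bot: The warning that begins `# Don't include personal, confidential or sensitive information in this` is still printed twice in what appears to be a single parameter description, at new lines 2044-2046 and 2051-2053, on either side of the TagResource permission sentence. The commit rewords both copies but keeps the duplication; one copy after the permission sentence is enough. The parameter's comment block starts above this hunk.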
@@ -2009,7 +2185,7 @@ module Aws::PaymentCryptography
|
|
2009
2185
|
params: params,
|
2010
2186
|
config: config)
|
2011
2187
|
context[:gem_name] = 'aws-sdk-paymentcryptography'
|
2012
|
-
context[:gem_version] = '1.
|
2188
|
+
context[:gem_version] = '1.10.0'
|
2013
2189
|
Seahorse::Client::Request.new(handlers, context)
|
2014
2190
|
end
|
2015
2191
|
|